httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael A. Peters" <mpet...@domblogger.net>
Subject Re: [users@httpd] redirect port from 80 to 443
Date Sat, 18 Feb 2017 22:58:34 GMT
Most of my hosts are HTTPS only - I do have one host that allows port 80 
for a yum package repository, https isn't needed there because the 
packages themselves are signed and yum validates them on the client side 
before installing.

This is an example of what I do:

<VirtualHost 45.79.96.192:80>
ServerName librelamp.com
Redirect permanent / https://librelamp.com/
</VirtualHost>

<VirtualHost [2600:3c01::f03c:91ff:fee4:310c]:80>
ServerName librelamp.com
Redirect permanent / https://librelamp.com/
</VirtualHost>

<VirtualHost 45.79.96.192:80>
ServerName www.librelamp.com
Redirect permanent / https://librelamp.com/
</VirtualHost>

<VirtualHost [2600:3c01::f03c:91ff:fee4:310c]:80>
ServerName www.librelamp.com
Redirect permanent / https://librelamp.com/
</VirtualHost>

I also send the HSTS header and OCSP stapling and HSTS Preloading in 
Chrome, Edge, FireFox, and IE so that those clients will only ask for 
the secure version of any links to the domain.

All you have to do to get HSTS preloading is send the header and then 
submit the domain to Chrome for HSTS preloading. Once in Chrome, it 
fairly quickly is added to the others.

That is more secure than an Apache redirect because a request to port 80 
and/or the response can be modified by a MITM but if the browser knows 
to only request the secure version, that is no longer an issue.

On 02/18/2017 12:02 PM, Dr James Smith wrote:
> As I only run HTTPS - I have the following on port 80 - (this can't be
> done with redirect)
>
> <VirtualHost *:80>
>
>   ...
>   ...
>   ...
>
>   RewriteEngine on
>   RewriteCond   %{REQUEST_URI}  !^/.well-known/acme-challenge
>   RewriteRule   ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI}
> [R=permanent,L,NE]
> </VirtualHost>
>
> So I only have one port 80 configuration - even tho' I'm running
> something like 30 sub-domains on one machine and 70 sub-domains on the
> other...
>
> {There is some other stuff associated with this - and I've got HTST
> headers set - and preloaded where I can - so most browsers won't hit the
> port 80 anyway!}
>
>
> On 18/02/2017 19:00, Daniel wrote:
>> Yes please, let's stay away of convoluted and most times innecessary
>> mod_rewrite examples to do simpleton configurations.
>>
>> If you are in virtualhost 80, you have specified servername correctly
>> and you just want to redirect to ssl, why not a single Redirect statement?
>>
>> As Yann's refered document says:
>> Redirect / https://something.example.com/
>>
>> Most people here knows this but there are gazillions web pages
>> refering to bad advice, duck and tape solutions and convolued ways of
>> using mod_rewrite for a simple redirection when placed in proper
>> context, we need to finish with that trend, and the best way is to
>> give simple, straight to the point examples "first".
>>
>> The mod_rewrite example given,lets slice it out:
>> > RewriteCond %{HTTP_HOST} =www.example.com <http://www.example.com/>
>> > RewriteCond %{SERVER_PORT} =80
>> > RewriteRule ^(.*)$ https://www.example.com/$1 [R]
>>
>> This clearly assumes it is a generic recipe in a .htaccess somewhere
>> which can be read from a non-SSL virtualhost or non-SSL virtualhost
>> (just to be ignored).
>>
>> 1º It checks the host name, but why? if you have defined a VirtualHost
>> with that servername and there are no conflicts the request is already
>> landing there.
>> 2º It checks for port 80. But we are redirecting to SSL, so we are
>> already on port 80, why check it?
>> 3º Can be replaced with a Redirect as mentioned above.
>>
>> So instead of giving out recipes for .htaccess thought out for an
>> aging era or shared virtualhosting, lets recommend the ideal
>> virtualhost context recipe first as Yann proposed earlier:
>>
>> Define the virtualhost with the names you serve.
>> <VirtualHost *:80>
>> ServerName something.example.com <http://something.example.com>
>> Redirect / https://something.example.com/
>> </VirtualHost>
>>
>> There is no guessing here, no unnecessary directives and it's hard to
>> miss or confuse with other directives and the context where it resides
>> is crystal clear.
>>
>> Later on, when things need to be complicated, then I guess we can use
>> "If" or "mod_rewrite", and recommend it as needed.
>>
>>
>> 2017-02-18 19:38 GMT+01:00 Richard <lists-apache@listmail.innovate.net
>> <mailto:lists-apache@listmail.innovate.net>>:
>>
>>
>>
>>     > Date: Saturday, February 18, 2017 11:04:34 -0700
>>     > From: James Moe <jimoe@sohnen-moe.com <mailto:jimoe@sohnen-moe.com>>
>>     >
>>     > On 02/18/2017 05:08 AM, Rodrigo Cunha wrote:
>>     >> i want redirect all request from port 80 to 443.
>>     >> what is better setting for fix this?
>>     >>
>>     >   Better than what?
>>     >   Fix? Is it broken?
>>     >
>>     > RewriteCond %{HTTP_HOST} =www.example.com <http://www.example.com>
>>     > RewriteCond %{SERVER_PORT} =80
>>     > RewriteRule ^(.*)$ https://www.example.com/$1 [R]
>>
>>     Perhaps, better than using a "rewrite"? See the documentation
>>     reference, given in an earlier post:
>>
>>       <https://httpd.apache.org/docs/2.4/rewrite/avoid.html#redirect
>>     <https://httpd.apache.org/docs/2.4/rewrite/avoid.html#redirect>>
>>
>>     that has this as a specific example of when/why to use a "redirect"
>>     rather than a "rewrite".
>>
>>
>>
>>     ---------------------------------------------------------------------
>>     To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>     <mailto:users-unsubscribe@httpd.apache.org>
>>     For additional commands, e-mail: users-help@httpd.apache.org
>>     <mailto:users-help@httpd.apache.org>
>>
>>
>>
>>
>> --
>> *Daniel Ferradal*
>> IT Specialist
>>
>> email         dferradal at gmail.com <http://gmail.com>
>> linkedin     es.linkedin.com/in/danielferradal
>> <http://es.linkedin.com/in/danielferradal>
>
>
> -- The Wellcome Trust Sanger Institute is operated by Genome Research
> Limited, a charity registered in England with number 1021457 and a
> company registered in England with number 2742969, whose registered
> office is 215 Euston Road, London, NW1 2BE.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message